---
layout: docs
page_title: FIPS compliance in Vault
description: >-
  Learn about FIPS compliance options in Vault.
---

# FIPS compliance in Vault

@include 'alerts/enterprise-only.mdx'

The [Federal Information Processing Standard](https://www.nist.gov/federal-information-standards-fips)
is a cryptography-focused certification standard for U.S. Government usage.

Hashicorp's Vault Enterprise supports the modes of FIPS compliance documented below.

## FIPS 140-2 inside

Vault Enterprise now includes release flavors with FIPS 140-2 compliant
cryptography built into the Vault binary. More information on these releases
can be found on the [FIPS 140-2 Inside](/vault/docs/enterprise/fips/fips1402) page.

## Seal wrap

Before our FIPS Inside effort, Vault [depended on](https://www.hashicorp.com/vault-compliance)
an external HSM for FIPS 140-2 compliance. This uses the [Seal Wrap](/vault/docs/enterprise/fips/sealwrap)
functionality to wrap security relevant keys in an extra layer of encryption.

## Comparison of versions

The below table attempts to documents the FIPS compliance of various Vault
operations between FIPS Inside and FIPS Seal Wrap. This table is by no means
an official evaluation of either product; refer to the Leidos Letters of
Attestation for that information.

| Feature                           | FIPS Inside              | FIPS Seal Wrap                           |
| :-------------------------------- | :----------------------- | :--------------------------------------- |
| Entropy Augmentation              | Not Supported            | Yes                                      |
| TLS Listener                      | Yes                      | No                                       |
| Vault HA/DR/Raft TLS              | Yes                      | No                                       |
| Barrier Storage                   | Yes                      | No                                       |
| Seal Wrapping of CSPs             | With FIPS-Compliant HSM  | With FIPS-Compliant HSM                  |
| SSH CA Operations                 | Yes with FIPS algorithms | No                                       |
| Transit Operations                | Yes with FIPS algorithms | With Managed Keys and FIPS-Compliant HSM |
| PKI Operations                    | Yes with FIPS algorithms | With Managed Keys and FIPS-Compliant HSM |
| KMIP (Key Creation & Use)         | Yes with FIPS algorithms | No                                       |
| Transform Tokenization            | Yes                      | No                                       |
| Vault Agent TLS & Internal Crypto | Yes                      | No                                       |
| Vault to External Plugin TLS      | Yes from Vault's side    | No                                       |
| Plugin to third-party service TLS | Yes from Vault's side    | No                                       |
| Auth Plugins' Internal Crypto     | Yes with FIPS algorithms | No                                       |
